You just visited an e-commerce website by typing in its URL during a vulnerability
assessment. You discovered that an administrative web frontend for the server's
backend application is accessible over the internet. Testing this frontend, you
discovered that the default password for the application is accepted. Which of the
following recommendations should you make to the website owner to remediate this
discovered vulnerability? - ANSWER 1. Whitelist all specific IP blocks that use the
application
2. Require MFA for access to the application
3. Change the username and default password
You need to perform an architectural review and select a view that focuses on the
technologies, settings, and configurations used within the architecture. Which of the
following views should you select? - ANSWER Technical view; A technical view
focuses on technologies, settings, and configurations.
You have been asked to recommend a capability to monitor all of the traffic entering and
leaving the corporate network's default gateway. Additionally, the company's CIO
requests to block certain content types before it leaves the network based on
operational priorities. Which of the following solutions should you recommend to meet
these requirements? - ANSWER Install a NIPS on the internal interface and a firewall
on the external interface of a router. The firewall on the external interface will allow the
bulk of the malicious inbound traffic to be filtered before reaching the network. Then, the
NIPS can be used to inspect the traffic entering the network and provide protection for
the network using signature-based or behavior-based analysis.
A financial services company wants to donate some old hard drives from their servers to
a local charity. Still, they are concerned about the possibility of residual data being left
on the drives. Which of the following secure disposal methods would you recommend
the company use? - ANSWER In a cryptographic erase (CE), the storage media is
encrypted by default. The encryption key itself is destroyed during the erasing
operation. CE is a feature of self-encrypting drives (SED) and is often used with solid-state devices.
According to Lockheed Martin's white paper "Intel Driven Defense," which of the
following technologies could degrade an adversary's effort during the actions on the
objectives phase of the kill chain? - ANSWER QoS; If the adversary is attempting to
exfiltrate data, implementing a quality of service approach could potentially slow down
the rate at which information could be exfiltrated.
You are investigating a suspected compromise. You have noticed several files that you
don't recognize. How can you quickly and effectively check if the files have been
infected with malware? - ANSWER Submit the files to VirusTotal; (You should never
scan the files using a local anti-virus or anti-malware engine if you suspect the
workstation or server has already been compromised because the scanner may also be
compromised.)
Sarah has reason to believe that systems on her network have been compromised by
an APT. She has noticed many file transfers outbound to a remote site via TLS-protected
HTTPS sessions from unknown systems. Which of the following techniques would most
likely detect the APT? - ANSWER APTs usually send encrypted traffic so that they are
harder to detect through network traffic analysis or network forensics. This means that
you need to focus on the endpoints to detect an APT.
OSSIM - ANSWER Open source SIEM solution
Which of the protocols listed is NOT likely to trigger a vulnerability scan alert when used
to support a virtual private network (VPN)? - ANSWER IPSec is the most secure
protocol that works with VPNs. The use of PPTP and SSL is discouraged for VPN
security. Due to this, PPTP and SSL for a VPN will likely alert during a vulnerability scan
as an issue to be remediated.
Which of the following elements is LEAST likely to be included in an organization's data
retention policy? - ANSWER Data classification would not be covered in the retention
policy but would be a key part of your organization's data classification policy.
Which term is used in software development to refer to the method in which app and
platform updates are committed to a production environment rapidly? - ANSWER
Continuous deployment is a software development method in which app and platform
updates are committed to production rapidly.
An organization is conducting a cybersecurity training exercise. Which team is Jason
assigned to if he has been asked to monitor and manage the defenders and attackers'
technical environment during the exercise? - ANSWER White team; The white team
acts as the judges, enforces the rules of the exercise, observes the exercise, scores
teams, resolves any problems that may arise, handles all requests for information or
questions, and ensures that the competition runs fairly.
You have evidence to believe that an attacker was scanning your network from an IP
address at 172.16.1.224. This network is part of a /26 subnet. You wish to quickly filter
through several logs using a REGEX for anything that came from that subnet. What
REGEX expression would provide the appropriate output when searching the logs for
any traffic originating from only IP addresses within that subnet? - ANSWER
\b172\.16\.1\.(25[0-5]|19[2-9]|2[0-4][0-9])\b
The \b delimiter indicates that we are looking for whole words for the complete string.
You suspect that a service called explorer.exe on a Windows server is malicious, and
you need to terminate it. Which of the following tools would NOT be able to terminate it?
- ANSWER secpol.msc; The security policy auditor (secpol.msc) will allow an
authorized administrator the option to change a great deal about an operating system,
but it cannot explicitly stop a process or service that is already running.
Praveen is currently investigating activity from an attacker who compromised a host on
the network. The individual appears to have used credentials belonging to a janitor.
After breaching the system, the attacker entered some unrecognized commands with
very long text strings and then began using the sudo command to carry out actions.
What type of attack has just taken place? - ANSWER Privilege escalation attack
Jonathan's team completed the first phase of their incident response process. They are
currently assessing the time to recover from the incident. Using the NIST recoverability
effort categories, the team has decided to predict the time to recover, but this requires
additional resources. How should he categorize this using the NIST model? - ANSWER
Based on the scenario given, the best choice is supplemented.
Evaluate the following log entry:
Jan 11 05:52:56 lx1 kernel: iptables INPUT drop IN=eth0 OUT= MAC=00:15:5d:01:ca:55:00:15:5d:01:ca:ad:08:00 SRC=10.1.0.102 DST=10.1.0.10 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=3988 DF PROTO=TCP SPT=2583 DPT=23 WINDOW=64240 RES=0x00 SYN URGP=0
Based on this log entry, which of the following statements are true? - ANSWER
- A telnet connection was prevented
- The packet was blocked inbound to the network
You are analyzing DNS logs looking for indicators of compromise associated with the
use of a fast-flux network. You are already aware that the names involved in this
particular fast-flux network are longer than 50 characters and always end in a .org
top-level domain. Which of the following REGEX expressions would you use to filter
DNS traffic that matches this? - ANSWER \b[A-Za-z0-9\.\-]{50,251}+\.org
The first phrase before the + sign indicates to match between 50 and 251 instances of
any of the preceding letters (A-Z, a-z, 0-9, period, and the minus symbol).
Vulnerability scans must be conducted continuously to meet regulatory compliance
requirements for the storage of PHI. During the last vulnerability scan, a cybersecurity
analyst received a report of 2,592 possible vulnerabilities and was asked by the Chief
Information Security Officer (CISO) for a plan to remediate all the known issues. Which
of the following should the analyst do next? - ANSWER Filter the scan results to
include only those items listed as critical in the asset inventory and remediate those
vulnerabilities first.